Presentation transcript

• to define a set of methods or standardized protocols that service providers may use to elevate the trust in an electronic identity presented to them for authentication purposes

3

Why are we doing this work?

• Few consumers have high-LOA credentials.

• Username and password are not good enough.

• More organizations look to implement systems that require authentication at higher Levels of Assurance.

• When dealing with consumers and citizens, there is a clear need for dynamic authentication:

• a customer should only be asked to do multi-factor authentication when they want to do “a high value transaction”, not as a prerequisite to visiting a website.

• There is an increased interest in transaction-based assurance: “authentication” based on the necessary current conditions of specified, validated attributes and agreements.

• Use of a step-up approach to multi-factor authentication.

• Recommendations by the Federal Financial Institutions Examination Council (FFIEC) and the highly publicized breaches in 2011 have made trust elevation a more urgent topic.

• Responding to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC).

4

Approach

1. Phase I: Catalog of Trust Elevation Methods

• Create a comprehensive list of methods being used currently to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved.

• Status: phase is completed – Committee Note pending publication

2. Phase II: Analysis of Trust Elevation Methods

• Analysis of identified methods to determine their ability to provide a service provider with assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved.

• Status: phase ending, final stages of delivering work

3. Phase III: Establish Trust Elevation Protocol

• Propose a protocol for Trust Elevation

• Status: phase starting

5

Definition of Trust Elevation

Trust elevation:

• Increasing the strength of trust by adding factors from the same or different categories of trust elevation methods that don’t have the same vulnerabilities.

• There are five categories of trust elevation methods:

• who you are,

• what you know,

• what you have,

• what you typically do and

• the context.

• What you typically do consists of behavioral habits that are independent of physical biometric attributes.

• Context includes, but is not limited to, location, time, party, prior relationship, social relationship and source.

• Elevation can be within the classic four ITU-T X.1254 LoAs (ISO 29115, NIST 800-63).
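As an added example (not part of the presentation or of the Trust Elevation TC's deliverables), the following Python models the definition above: a session's trust is raised only by adding factors whose vulnerability classes do not overlap, whatever their category, and the relying party challenges the user only when the transaction's required LoA exceeds what the session already provides. The factor catalogue, the vulnerability labels and the mapping from LoA to number of independent factors are constructed assumptions for illustration, not the X.1254 / ISO 29115 criteria.

```python
"""Step-up (trust elevation) policy check.

Added example, not code from the OASIS Trust Elevation TC. It models the
definition on the slide: trust is raised by adding factors whose
vulnerabilities do not overlap, and a user is only challenged when the
transaction needs a higher LoA than the session already has.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Factor:
    name: str
    category: str               # one of the five categories from the slide
    vulnerabilities: frozenset  # attack classes that defeat this factor (constructed labels)


# Constructed catalogue; the vulnerability labels are illustrative assumptions.
PASSWORD = Factor("password", "what you know",
                  frozenset({"guessing", "credential-stuffing", "keylogger"}))
SECURITY_QUESTION = Factor("security question", "what you know",
                           frozenset({"guessing", "public-knowledge"}))
HARD_OTP = Factor("hardware OTP token", "what you have", frozenset({"device-theft"}))
SMS_OTP = Factor("SMS one-time code", "what you have",
                 frozenset({"device-theft", "sim-swap"}))
FINGERPRINT = Factor("fingerprint", "who you are", frozenset({"sensor-spoof"}))
KNOWN_DEVICE = Factor("known device or location", "context", frozenset({"device-theft"}))
CATALOGUE = [PASSWORD, SECURITY_QUESTION, HARD_OTP, SMS_OTP, FINGERPRINT, KNOWN_DEVICE]

# Assumed policy: how many mutually independent factors each LoA needs.
# This is a constructed mapping, not the X.1254 / ISO 29115 criteria.
REQUIRED_INDEPENDENT_FACTORS = {1: 1, 2: 1, 3: 2, 4: 3}


def independent_factors(factors):
    """Largest subset of factors whose vulnerability sets are pairwise disjoint.

    Two factors that fall to the same attack (e.g. two knowledge factors that
    can both be guessed) count as one, regardless of category.
    Brute force is fine: a session holds a handful of factors at most.
    """
    for size in range(len(factors), 0, -1):
        for subset in combinations(factors, size):
            if all(a.vulnerabilities.isdisjoint(b.vulnerabilities)
                   for a, b in combinations(subset, 2)):
                return list(subset)
    return []


def achieved_loa(factors):
    """Highest LoA whose requirement the independent factor count satisfies (0 if none)."""
    count = len(independent_factors(factors))
    return max((loa for loa, needed in REQUIRED_INDEPENDENT_FACTORS.items()
                if count >= needed), default=0)


def step_up_options(session_factors, required_loa, catalogue=CATALOGUE):
    """Decide whether the user must be challenged for this transaction.

    Returns (needed, options): needed is False when the session already meets
    required_loa; otherwise options lists catalogue factors that, added to
    the session, would reach it. An empty options list with needed=True means
    no single additional factor is enough for this transaction.
    """
    if achieved_loa(session_factors) >= required_loa:
        return False, []
    options = [f for f in catalogue
               if f not in session_factors
               and achieved_loa(list(session_factors) + [f]) >= required_loa]
    return True, options


if __name__ == "__main__":
    session = [PASSWORD]
    print("browse site, LoA 2 needed:", step_up_options(session, 2))
    needed, opts = step_up_options(session, 3)
    print("high-value transaction, LoA 3 needed:", needed, [f.name for f in opts])
```

Run stand-alone, a password-only session is not challenged for an LoA 2 action but is for an LoA 3 one, and the offered elevation options exclude a security question: it sits in the same "what you know" category and shares the "guessing" vulnerability class, so under the slide's definition it adds no trust. A hardware OTP, an SMS code, a fingerprint or a recognised device each does, which is the step-up behaviour the earlier slide asks for.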

6

Categories of Trust Elevation Methods

• Who you are

– biometrics, behavioral attributes

• What you know

– shared secrets, public and relationship knowledge

• What you have

– devices, tokens (hard, soft, OTP)

• What you typically do

– described by ITU-T X.1254

– behavioral habits that are independent of physical biometric attributes